Summary

The purpose of this guide is to provide a detailed overview of how to enable Qualys Context Extended Detection and Response (XDR). Qualys splits the enabling process over several phases. This guide covers the activities of Day 1, during which Qualys Context XDR is configured for a variety of data collection.


[Figure: the XDR enablement phases. Day 0 - Deployment: Appliance Deployment, Syslog Collector Setup, Windows Agent. Day 1 - Data Collection: Windows Log Collection, 3rd party Log Collection, SIEM Data Ingestion. Later phases cover Log Enrichment, Context Enrichment, Special Object Setup, Leverage Tags, Search Queries, Signal Investigation, Behavior Rules, Correlation Rules, Signal Dashboard and Log Analytics Dashboard; Day 3 - Detection Model; Day 4 - Incident Mgmt.]

Day 1 - Data Collection


On Day 1, we will walk you through the steps to:

1. Collect Windows Logs using Qualys Cloud Agents

2. Collect Logs from Third-Party Sources

NOTE: Before you proceed, ensure you have deployed an appliance and configured a collector as laid out in the Day 0 Enablement guide. Also, if you intend to use Qualys Cloud Agents to collect Windows logs, ensure that you have enabled the agents for XDR.
Collect Windows Logs using Qualys Cloud Agents

Qualys Context XDR allows you to leverage existing Qualys Cloud Agents (Windows only) to collect event logs from assets on which agents are deployed. You can also deploy fresh agents and configure them to collect logs for XDR.

After you have enabled XDR via a configuration profile and activated agents for XDR as part of Day 0, you need to create a Cloud Agent Profile that defines which logs to collect from hosts, where to forward them, and which assets to collect them from.

Follow these steps to configure a Cloud Agent Profile:


1. From the Qualys Context XDR UI, navigate to the Configuration tab.

[Screenshot: the Configuration overview page, with tiles for Data Collection (Catalog, Collectors, Appliances, Sources), Threat Intel, Response Templates (Email, ServiceNow, Slack, Pager) and Cloud Agent Profiles (Log collection profiles).]
2. From the Configuration drop-down menu, select Cloud Agent Profiles.

[Screenshot: the Configuration drop-down listing Overview, Data Collection, Response Templates, Special Objects, Threat Intel, Cloud Agent Profiles and User Lists.]
3. On the Cloud Agent Profiles tab, click the New Profile button to begin creating a new Cloud Agent profile.

[Screenshot: the Cloud Agent Profiles list with the columns Manifest Status, Profile Name and Destination, and the New Profile button.]
4. Creating a new Cloud Agent Profile is a 4-step process (Basic Details, Log Collection Details, Destination Details, Assign Assets). On the Basic Details step, enter a name and description for your profile, and select Windows as the Operating System. Click Next when done.

[Screenshot: New Profile, step 1/4, Profile Basic Details, with the fields Name (Test_profile), Description (Test) and Operating System (Windows).]
5. On the Log Collection Details step, select the type of logs you want to collect from hosts. You must select at least one of: Application, Security, System, Windows PowerShell, and DNS (applicable to Windows Server only). Click Next when done.

NOTE: The agent forwards only what Windows already writes to these channels. The Security channel contains just the event categories your audit policy enables, and PowerShell logging is likewise controlled by policy, so verify those settings on the hosts before you rely on this profile for, for example, logon or script activity.

[Screenshot: New Profile, step 2/4, Log Collection Details, with check boxes for the five log types.]
6. On the Destination Details step, choose where you want to forward the logs: either to Qualys Context XDR (Extended Detection and Response) or to a third-party destination. If you choose a third-party destination, enter its Host IP/Host name and the other destination details. Click Next when done.

[Screenshot: New Profile, step 3/4, Destination Details, with the options Extended Detection and Response and Third Party Destination Details (Host IP/Host name).]
7. On the Assign Assets step, select the assets you want to collect logs from. You can select assets directly or by selecting tags associated with these assets.

[Screenshot: New Profile, step 4/4, Assign Assets, with the fields Select Assets for this profile and Select Asset Tags for this profile.]
8. Finally, click Save Profile to save this new Cloud Agent Profile.

When the profile is saved, the Qualys Cloud Agents on the selected assets collect the log types you chose and forward them to the destination you configured.
Collect Logs from Third-Party Sources

With Qualys Context XDR, you can ingest logs from several different third-party sources. Before you ingest data from other systems, ensure you have deployed an appliance and configured a collector on it. See the Online Help or the Day 0 Enablement guide for more information.

Follow these steps to configure XDR to receive logs from third-party sources:
1. From the Qualys Context XDR UI, navigate to the Configuration tab.

[Screenshot: the Configuration overview page, with tiles for Data Collection (Catalog, Collectors, Appliances, Sources), Threat Intel, Response Templates (Email, ServiceNow, Slack, Pager) and Cloud Agent Profiles (Log collection profiles).]
2. From the Configuration drop-down menu, select Data Collection to view the Catalog page.

[Screenshot: the Configuration drop-down listing Overview, Data Collection, Response Templates, Special Objects, Threat Intel, Cloud Agent Profiles and User Lists.]
3. The Catalog page displays all the third-party data sources from which you can ingest logs, with the number of sources already configured for each.

[Screenshot: the Catalog page (Data Collection > Catalog), filterable by Source Type (Event Source, Threat Intel), Release Date, Status and Device Family, showing source cards such as Akamai WAF, Arbor-APS DDoS, Barracuda WAF, Bluecoat Proxy, Checkpoint Firewall, Checkpoint IPS, Cisco IPS, Cisco IAM, Cisco Proxy, Cisco Endpoint, Cisco Anyconnect VPN, Cisco OpenDNS Proxy, Cisco Sourcefire IPS, Cisco-ASA Firewall and Citrix Loadbalancer, each with its configured count.]


4. In this guide, we will use Bluecoat Proxy as an example. Click the ⋮ icon on the Bluecoat Proxy card and then click the Configure New Bluecoat option.

NOTE: Each source might require different parameters, so if you run into any issues, contact your Solutions Architect or Qualys Support.

[Screenshot: the Bluecoat Proxy card menu with the options Configure New Bluecoat and View Configured Sources.]
5. On the Configure Event Source screen, enter a name and description for the data source you are configuring, and then click Next.

[Screenshot: Configure Event Source, step 1/4, Basic Details (Name, Description); the remaining steps are Collector Preferences, Device Configuration and Review & confirm.]
6. On the Collector Preferences step, select the collector that you want to use to collect data from this source. The Collector drop-down lists all the collectors you have configured so far. If you do not have a collector configured yet, see the Online Help or the Day 0 Enablement guide.

[Screenshot: Configure Event Source, step 2/4, Collection setup, with the collector New_test-sys_10.114.252.16 selected (Status Active, Created on Jul 5, 2021 11:22 pm) and the Device Type and Model fields.]

7. On the same step, select the Device Type (Proxy in this example) and the Model (Bluecoat). Confirm the collector details, the device type, and the device model, and click Next.
8. On the Device Configuration step, define the following:

i. Log Format (SYSLOG in this example)
ii. Version
iii. Host/IP Address of the Device Type - the host name or IP address of the device that will send the logs
iv. Timezone - the time zone in which the device writes its log timestamps
v. Filter - define a filter to include only events that match specific attributes

NOTE: The Host/IP address identifies the device to the collector, so enter the address the logs will actually arrive from (after any NAT or syslog relay), not a management address. The Timezone matters because syslog and proxy access-log timestamps usually carry no UTC offset; set it to the zone the device's clock uses, otherwise every event is shifted by the difference when it is normalized.

[Screenshot: Configure Event Source, step 3/4, Device Configuration, with Log Format SYSLOG, Version v1.0, Host/IP Address of Device Type 192.128.11.123, Timezone (GMT 00:00) Coordinated Universal Time (UTC), and Filter.]
9. Finally, review all the configuration details before saving. If the details are correct, click Add Event Source.

[Screenshot: Configure Event Source, step 4/4, Review & confirm, summarizing Basic Details (Name, Description), the selected collector (New_test-sys_10.114.252.16, Status Active, Created on Jul 5, 2021 11:22 pm) and the Device Configuration (Device Type Proxy, Device Model Bluecoat, Log Format SYSLOG, Version v1.0, Host/IP Address 192.128.11.123, Directory Configuration NA, TimeZone UTC, Filter).]

When the event source is configured, it is listed under Configuration > Data Collection > Sources. Based on your configuration, the collector starts receiving data from this device on the configured appliance's IP address and the collector's port.
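The following Python is an added illustration, not Qualys code and not a description of how the Qualys collector is implemented. It models what the Device Configuration settings mean on the receiving side for the Bluecoat-over-syslog example: events are attributed to the source by the address they arrive from (Host/IP), the device's ELFF date/time fields are interpreted in the configured Timezone and normalized to UTC, and a Filter keeps only events whose attributes match. It also builds the kind of RFC 3164 datagram a proxy sends, so you can fire a test message at the appliance IP and collector port after step 9. The addresses, the ELFF field order, the filter semantics and the two log lines are constructed for the example; the collector is assumed to accept UDP syslog on port 514, which you should confirm against the collector you set up on Day 0.

```python
"""Collector-side view of a syslog event source (added illustration, not Qualys code)."""
import re
import socket
from datetime import datetime, timedelta, timezone

# Hypothetical values mirroring the walkthrough; replace with your own.
DEVICE_HOST = "192.128.11.123"        # Host/IP Address of Device Type (step 8)
DEVICE_UTC_OFFSET = "+00:00"          # Timezone (step 8), as the UI's "(GMT hh:mm)"
COLLECTOR = ("10.114.252.16", 514)    # appliance IP, collector port (UDP syslog assumed)

# Constructed ELFF-style field order for a proxy access log.  A real ProxySG
# writes whatever order its access-log format is configured with; take it from
# the "#Fields:" header your device emits rather than hard-coding it.
FIELDS = ("date time time-taken c-ip cs-username sc-filter-result cs-categories "
          "sc-status s-action cs-method cs-uri-scheme cs-host cs-uri-port "
          "cs-uri-path cs(User-Agent) sc-bytes cs-bytes").split()

# <PRI>Mmm dd hh:mm:ss HOST MSG  (RFC 3164; the day is space-padded)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # quoted ELFF values may contain spaces


def tz_from_offset(offset):
    """'+05:30' or '-07:00' -> tzinfo, matching the UI's '(GMT hh:mm)' label."""
    sign = -1 if offset.startswith("-") else 1
    hours, minutes = offset.lstrip("+-").split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))


def parse_event(line, sender_ip, device_utc_offset=DEVICE_UTC_OFFSET):
    """Split one syslog line into its ELFF fields and normalise the timestamp."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line: %r" % line[:40])
    tokens = [t.strip('"') for t in TOKEN_RE.findall(m["msg"])]
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} ELFF fields, got {len(tokens)}")
    ev = dict(zip(FIELDS, tokens))
    ev["syslog_facility"], ev["syslog_severity"] = divmod(int(m["pri"]), 8)
    ev["syslog_host"] = m["host"]
    # The source is attributed by the address the datagram arrives from, so a
    # mismatch with the configured Host/IP (NAT, relay, typo) loses the event.
    ev["source_matched"] = sender_ip == DEVICE_HOST
    # ELFF date/time carry no offset: apply the configured zone, then store UTC.
    local = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=tz_from_offset(device_utc_offset))
    ev["timestamp_utc"] = local.astimezone(timezone.utc).isoformat()
    return ev


def matches_filter(ev, wanted):
    """Illustrative filter: keep an event only if every wanted attribute matches.
    The product's own filter syntax is described in its Online Help."""
    return all(ev.get(k) == v for k, v in wanted.items())


def ingest(lines, sender_ip, flt=None, device_utc_offset=DEVICE_UTC_OFFSET):
    """What the collector keeps from a batch of lines sent by sender_ip."""
    kept = []
    for line in lines:
        ev = parse_event(line, sender_ip, device_utc_offset)
        if ev["source_matched"] and (not flt or matches_filter(ev, flt)):
            kept.append(ev)
    return kept


def build_test_message(msg, host="proxy01", facility=16, severity=6, when_iso=None):
    """Build an RFC 3164 datagram the way the device would (local0.info by default)."""
    when = datetime.fromisoformat(when_iso) if when_iso else datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {host} {msg}".encode()


def send_test_message(datagram, collector=COLLECTOR):
    """Fire one datagram at the appliance IP / collector port to check reachability.
    Run it from the device (or a host with the device's address) so the sender
    address matches the configured Host/IP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, collector)


# Constructed sample lines: one allowed request, one blocked download.
SAMPLE_LINES = [
    '<134>Jul  5 23:22:10 proxy01 2021-07-05 23:22:10 120 10.1.2.3 jdoe OBSERVED '
    '"Technology/Internet" 200 TCP_NC_MISS GET http www.example.com 80 /index.html '
    '"Mozilla/5.0" 2043 512',
    '<134>Jul  5 23:22:11 proxy01 2021-07-05 23:22:11 5 10.1.2.7 - DENIED '
    '"Malicious Sources/Malnets" 403 TCP_DENIED GET http bad.example.net 80 '
    '/payload.exe "curl/7.79" 0 301',
]

if __name__ == "__main__":
    for ev in ingest(SAMPLE_LINES, DEVICE_HOST, {"sc-filter-result": "DENIED"}):
        print(ev["timestamp_utc"], ev["c-ip"], ev["cs-host"] + ev["cs-uri-path"])
```

Two things worth noticing when you run it: a device whose clock is in UTC-7 but whose source is configured as UTC lands every event seven hours early (parse_event with "-07:00" versus "+00:00" shows the shift), and a line arriving from any address other than DEVICE_HOST is dropped before the filter is even consulted. To verify the path to the appliance, call send_test_message(build_test_message("xdr collector test")) from the proxy host, then check the source under Configuration > Data Collection > Sources.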


NOTE: For information on collecting logs from ServiceNow or Proofpoint, refer to the Online Help.